[BUG] media: dvb: KASAN slab-use-after-free in dvb_frontend_do_ioctl

From: Shuangpeng

Date: Tue Jun 09 2026 - 23:32:59 EST


Hi Kernel Maintainers,

I hit the following KASAN report while testing the current upstream kernel:

KASAN: slab-use-after-free in dvb_frontend_do_ioctl

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/56637725184e4b313cd7ce9a14bd04e8

Although the report below was triggered with vidtv, I have reproduced
a similar lifetime bug pattern across a broader set of DVB
frontend drivers, such as cxd2880-spi, smsdvb, DVBSky using si2168, and
GL861/Friio using tc90522.

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[ 252.618007][ T8317] ==================================================================
[ 252.618841][ T8317] BUG: KASAN: slab-use-after-free in dvb_frontend_do_ioctl (drivers/media/dvb-core/dvb_frontend.c:2067)
[ 252.619807][ T8317] Read of size 8 at addr ffff88811be3c320 by task vidtv_frontend_/8317
[ 252.620723][ T8317]
[ 252.621036][ T8317] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 252.621039][ T8317] Call Trace:
[ 252.621054][ T8317] <TASK>
[ 252.621056][ T8317] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 252.621112][ T8317] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 252.621194][ T8317] kasan_report (mm/kasan/report.c:595)
[ 252.621202][ T8317] dvb_frontend_do_ioctl (drivers/media/dvb-core/dvb_frontend.c:2067)
[ 252.621588][ T8317] dvb_usercopy (drivers/media/dvb-core/dvbdev.c:996)
[ 252.621611][ T8317] dvb_frontend_ioctl (drivers/media/dvb-core/dvb_frontend.c:2114)
[ 252.621614][ T8317] __se_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:597 fs/ioctl.c:583)
[ 252.621618][ T8317] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 252.621621][ T8317] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 252.621654][ T8317] </TASK>
[ 252.621656][ T8317]
[ 252.669947][ T8317] Freed by task 8317 on cpu 0 at 252.606789s:
[ 252.670700][ T8317] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 252.671325][ T8317] kasan_save_free_info (mm/kasan/generic.c:584)
[ 252.671904][ T8317] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 252.672463][ T8317] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 252.672970][ T8317] i2c_device_remove (drivers/i2c/i2c-core-base.c:630)
[ 252.673482][ T8317] device_release_driver_internal (drivers/base/dd.c:619 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[ 252.674139][ T8317] bus_remove_device (drivers/base/bus.c:657)
[ 252.674721][ T8317] device_del (drivers/base/core.c:3895)
[ 252.675233][ T8317] device_unregister (drivers/base/core.c:3936)
[ 252.675673][ T8317] vidtv_bridge_remove (drivers/media/test-drivers/vidtv/vidtv_bridge.c:556)
[ 252.676187][ T8317] device_release_driver_internal (drivers/base/dd.c:619 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[ 252.676907][ T8317] unbind_store (drivers/base/bus.c:244)
[ 252.677402][ T8317] kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ 252.678054][ T8317] vfs_write (fs/read_write.c:595 fs/read_write.c:688)
[ 252.678527][ T8317] ksys_write (fs/read_write.c:740)
[ 252.678933][ T8317] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 252.679374][ T8317] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 252.680070][ T8317]
[ 252.680347][ T8317] The buggy address belongs to the object at ffff88811be3c000
[ 252.680347][ T8317] which belongs to the cache kmalloc-2k of size 2048
[ 252.681923][ T8317] The buggy address is located 800 bytes inside of
[ 252.681923][ T8317] freed 2048-byte region [ffff88811be3c000, ffff88811be3c800)


Best,
Shuangpeng
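Added triage helper, not part of this report or of the kernel tree: it parses the KASAN output quoted above (a constructed excerpt is embedded) and pulls out the access site, the first driver frame on the free path, and the byte offset of the stale field inside the freed kmalloc-2k object, which is what a maintainer checks first when matching the frontend lifetime against the i2c client teardown.

```python
import re

# Constructed excerpt of the KASAN report quoted in this bug report (prefixes kept).
REPORT = """\
[  252.618841][ T8317] BUG: KASAN: slab-use-after-free in dvb_frontend_do_ioctl (drivers/media/dvb-core/dvb_frontend.c:2067)
[  252.619807][ T8317] Read of size 8 at addr ffff88811be3c320 by task vidtv_frontend_/8317
[  252.621039][ T8317] Call Trace:
[  252.621202][ T8317] dvb_frontend_do_ioctl (drivers/media/dvb-core/dvb_frontend.c:2067)
[  252.669947][ T8317] Freed by task 8317 on cpu 0 at 252.606789s:
[  252.672463][ T8317] kfree (include/linux/kasan.h:235 mm/slub.c:2689)
[  252.672970][ T8317] i2c_device_remove (drivers/i2c/i2c-core-base.c:630)
[  252.675673][ T8317] vidtv_bridge_remove (drivers/media/test-drivers/vidtv/vidtv_bridge.c:556)
[  252.676907][ T8317] unbind_store (drivers/base/bus.c:244)
[  252.680347][ T8317] The buggy address belongs to the object at ffff88811be3c000
[  252.680347][ T8317] which belongs to the cache kmalloc-2k of size 2048
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")  # "[ 252.6][ T8317] " timestamp/task prefix
FRAME = re.compile(r"^(\w+) \((\S+)[^)]*\)$")         # "func (file:line ...)" stack frame
ALLOCATOR = {"kfree", "kasan_save_track", "kasan_save_free_info", "__kasan_slab_free"}

def parse_kasan(text):
    # One pass: access line, use stack, free stack and the slab object bounds.
    info, section = {"use_stack": [], "free_stack": []}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)", line):
            info["bug"], info["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            info["access"], info["size"], info["addr"] = m[1].lower(), int(m[2]), int(m[3], 16)
        elif line.startswith("Call Trace:"):
            section = "use_stack"
        elif line.startswith("Freed by task"):
            section = "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            info["obj_start"], section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["obj_size"] = m[1], int(m[2])
        elif (m := FRAME.match(line)) and section:
            info[section].append((m[1], m[2]))
    info["offset"] = info["addr"] - info["obj_start"]   # byte offset of the stale field
    return info

def triage(info):
    # What a maintainer wants first: the driver path that freed the object
    # (skipping allocator/KASAN frames) and the ioctl path that still touched it.
    freed_in = next(f for f, _ in info["free_stack"] if f not in ALLOCATOR)
    return {"kind": info["bug"], "used_in": info["func"], "freed_in": freed_in,
            "field_offset": info["offset"],
            "inside_object": 0 <= info["offset"] < info["obj_size"]}
```

With the full report pasted in place of the excerpt the use stack also carries the dump_stack/kasan_report frames, so the access function is taken from the BUG line rather than from the first frame.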